Snort mailing list archives

Re: Eliminating rulesets


From: Jeff Elkins <jeff () elkins org>
Date: Sat, 9 Feb 2002 21:30:14 -0500

Thanks Phil :)

(six-pack of virtual Beck's dark for you :)

Jeff


On Saturday 09 February 2002 08:11 pm, Phil Wood wrote:
Hmm,

On Sat, Feb 09, 2002 at 07:26:41PM -0500, Jeff Elkins wrote:
Thanks.

I'll research invert before I repost. Wouldn't want to make someone drink
an extra beer :)

% dict invert
       v 1: make an inversion (in a musical composition); "here the
            theme is inverted"
       2: turn inside out or upside down [syn: {reverse}]

What I meant to say was fix up a rules file which looks for attacks going
out from your site.  An easy way would be to:

 % sed -e 's/EXTERNAL_NET/XXX_NET/' -e 's/HOME_NET/EXTERNAL_NET/' < web-iis.rules | sed -e 's/XXX_NET/HOME_NET/' > inverted-web-iis.rules

But, check the contents of your {EXTERNAL|HOME}_NET variables first.

Also, take another look at the various web alerts that triggered.  You
might see Forbidden or Connection closed ..., etc.

Or, is that another beer...

Jeff

On Saturday 09 February 2002 06:08 pm, you wrote:
On Sat, Feb 09, 2002 at 01:42:42PM -0500, Jeff Elkins wrote:
I'm not trying to promote alcohol usage, but I have a newbie
question:

I'm evaluating Snort on a Linux DSL/firewall box that also serves as
a mail server and webserver (Sendmail/Apache).  The boxen inside the
firewall are all Linux as well. I've commented out the
Microsoft-specific rulesets (IIS, Frontpage and Cold Fusion). Other
than statistics gathering, is there any reason I'd want them applied?

You might want to invert them.

I was getting a _bunch_ of IIS alerts before I turned them off, btw.

Thanks,

Jeff Elkins





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
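Phil's sed one-liner, reworked as an added example script that is not from the thread: it swaps $HOME_NET and $EXTERNAL_NET in a single sed pass with the g flag (so a rule that names a variable twice is fully inverted), and checks that inverting twice gives the original rule back. The sample rule is constructed here, not taken from Snort's web-iis.rules.

```shell
#!/bin/sh
# Added example, not code from the thread. Inverts the direction of Snort rules
# by swapping $HOME_NET and $EXTERNAL_NET, so signatures written for attacks
# coming in to your web servers instead flag the same attacks going out.
# Assumes the rule syntax of the era and the standard variable names.

# invert_rules: read rules on stdin, write inverted rules on stdout.
# Same placeholder trick as the one-liner, but in one sed process and with the
# g flag so every occurrence on a line is swapped, not just the first.
invert_rules() {
    sed -e 's/\$EXTERNAL_NET/$XXX_NET/g' \
        -e 's/\$HOME_NET/$EXTERNAL_NET/g' \
        -e 's/\$XXX_NET/$HOME_NET/g'
}

# invert_one: invert a single rule line passed as the first argument.
invert_one() {
    printf '%s\n' "$1" | invert_rules
}

# check_inverted: sanity check for one rule. Succeeds only if the inverted
# rule has $HOME_NET as source, $EXTERNAL_NET as destination, and no
# leftover placeholder.
check_inverted() {
    out=$(invert_one "$1")
    case "$out" in
        *'$XXX_NET'*) return 1 ;;
        *'$HOME_NET any -> $EXTERNAL_NET 80'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample rule in the style of web-iis.rules (sid chosen in the
# local range; not a real Snort rule).
SAMPLE_RULE='alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS example"; flags:A+; content:"/scripts/"; nocase; classtype:web-application-attack; sid:1000001; rev:1;)'

# Usage on a whole file, as in the thread:
#   invert_rules < web-iis.rules > inverted-web-iis.rules
```

As Phil says, check what $HOME_NET and $EXTERNAL_NET are set to in snort.conf before trusting the inverted file.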
